BE: Add filtering for `cluster agent` to vulnerability report GraphQL query
Why are we doing this work
In order to add dropdown filters for cluster in issue #337882 (closed), we need to support this filter in the relevant GraphQL query for the case where a vulnerability was added by the Kubernetes agent and is therefore associated with a cluster agent rather than with a cluster.
Relevant links
Non-functional requirements
- Documentation: update https://docs.gitlab.com/ee/user/application_security/cluster_image_scanning/#cicd-variables-for-cluster-image-scanning with the new variable `CIS_CLUSTER_AGENT_IDENTIFIER`
- [-] Feature flag:
- [-] Performance:
- [-] Testing:
Implementation plan
- documentation: Add information about the `CIS_CLUSTER_AGENT_IDENTIFIER` variable to https://docs.gitlab.com/ee/user/application_security/cluster_image_scanning/#cicd-variables-for-cluster-image-scanning
- backend: Read the `CIS_CLUSTER_AGENT_IDENTIFIER` variable (if it exists) in the cluster-image-scanning analyzer (https://gitlab.com/gitlab-org/security-products/analyzers/cluster-image-scanning) and add its value to `location.kubernetes_resource.agent_id` of the Security Report JSON for each vulnerability.
- backend: Read `location.kubernetes_resource.agent_id` from the report JSON, add it to `Locations::ClusterImageScanning`, and use it to fingerprint the location by extending the `fingerprint_data` method.
- backend: Extend `Vulnerabilities::Finding` (https://gitlab.com/gitlab-org/gitlab/blob/master/ee/app/models/vulnerabilities/finding.rb#L4) with a new scope `by_location_cluster_agent`:
  ```ruby
  scope :by_location_cluster_agent, -> (cluster_agent_ids) { where("vulnerability_occurrences.location -> 'cluster_agent_id' ?| array[:cluster_agent_ids]", cluster_agent_ids: cluster_agent_ids) }
  ```
- backend: Extend `EE::Vulnerability` (https://gitlab.com/gitlab-org/gitlab/blob/master/ee/app/models/ee/vulnerability.rb#L4) with a new scope that uses the scope added in `Vulnerabilities::Finding`, i.e.:
  ```ruby
  scope :with_cluster_agent_ids, -> (cluster_agent_ids) { joins(:findings).merge(Vulnerabilities::Finding.by_location_cluster_agent(cluster_agent_ids)) }
  ```
- backend: Extend the `execute` method of `Security::VulnerabilitiesFinder` (https://gitlab.com/gitlab-org/gitlab/blob/master/ee/app/finders/security/vulnerabilities_finder.rb#L20) with a new method `filter_by_cluster_agent_id` that uses the scope defined in `Vulnerability`.
- backend: Extend `Resolvers::VulnerabilitiesResolver` (https://gitlab.com/gitlab-org/gitlab/blob/master/ee/app/graphql/resolvers/vulnerabilities_resolver.rb#L4) with a new argument `:cluster_agent_id, [GraphQL::Types::String], required: false`.
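The fingerprinting and filtering steps of the plan, as an added illustration that is not GitLab's own code: a minimal stand-in for the `Locations::ClusterImageScanning` location reads `location.kubernetes_resource.agent_id` from a constructed report, appends it to `fingerprint_data`, and filters findings by a list of agent ids the way the `?|` scope would in SQL. The class name, the sample report and the agent ids are assumptions.

```ruby
require 'json'
require 'digest'
# Constructed sample report (not real scanner output): the same image and
# resource reported by two different cluster agents, plus one finding from an
# analyzer that does not set agent_id. Agent ids are hypothetical.
SAMPLE_REPORT = <<~REPORT
  {"vulnerabilities": [
    {"id": "v1", "location": {"image": "registry.example/app:1.0",
      "kubernetes_resource": {"namespace": "prod", "kind": "Deployment", "name": "app", "agent_id": "42"}}},
    {"id": "v2", "location": {"image": "registry.example/app:1.0",
      "kubernetes_resource": {"namespace": "prod", "kind": "Deployment", "name": "app", "agent_id": "43"}}},
    {"id": "v3", "location": {"image": "registry.example/app:1.0",
      "kubernetes_resource": {"namespace": "prod", "kind": "Deployment", "name": "app"}}}
  ]}
REPORT

# Minimal stand-in for Locations::ClusterImageScanning (hypothetical class, not GitLab's).
class ClusterImageScanningLocation
  attr_reader :image, :namespace, :kind, :name, :cluster_agent_id

  def initialize(location)
    resource = location.fetch('kubernetes_resource', {})
    @image = location['image']
    @namespace = resource['namespace']
    @kind = resource['kind']
    @name = resource['name']
    @cluster_agent_id = resource['agent_id'] # absent in reports from older analyzers
  end

  # Identifying fields joined in a fixed order. The agent id is appended only when present,
  # so findings without it keep their old fingerprint, while the same image seen through
  # two different agents no longer collapses into a single location.
  def fingerprint_data
    [image, namespace, kind, name, cluster_agent_id].compact.join(':')
  end

  def fingerprint
    Digest::SHA1.hexdigest(fingerprint_data)
  end
end

# Returns [[id, location], ...] for every vulnerability in the report.
def parse_locations(report_json)
  JSON.parse(report_json)['vulnerabilities'].map do |v|
    [v['id'], ClusterImageScanningLocation.new(v['location'])]
  end
end

# In-memory equivalent of the `?| array[...]` scope: ids of findings whose
# location agent id matches any of the requested agent ids.
def filter_by_cluster_agent_ids(locations, agent_ids)
  locations.select { |_, loc| agent_ids.include?(loc.cluster_agent_id) }.map(&:first)
end
```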